1. Introduction
ACLEncode is a tool that allows you to encode files as Access Control Entries
(ACEs) attached to files. ACEs exist in the Access Control List (ACL) of
a file on an NTFS filesystem. This list of entries tells Windows which users
and groups have permission to perform various acts on a file such as reading,
writing, executing, etc.

ACLEncode takes a file and encodes it as multiple ACEs and spreads them out
across many files. ACLEncode simply chops up a file and writes the bytes
as-is into ACEs without performing any data scrambling or encrypting operations.

---------------------------------------------------------------------------
2. How it works / Limitations
ACLEncode encodes files as Security Identifiers (S-IDs) within ACEs.
The maximum length for each S-ID is 68 bytes, but 8 of those bytes are used
for other purposes. As a result, ACLEncode can only encode 60 bytes of a file
within each ACE.

ACLEncode splits up your input file into 60-byte chunks and writes each
chunk into ACEs that are placed onto a list of files that you choose.

Each file's Access Control List can only hold a maximum of 64kB. As a result,
the sum of all Access Control Entries must be less than 64kB.

Using the maximum size for each of the components of an ACE, this brings the
total to about 860 entries per file, provided there are NO OTHER ACEs present
for legitimate purposes.

ACLEncode is designed to limit its use to 512 entries per file to accommodate
legitimate ACEs.
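
A defender-side check, added here as an example and not part of ACLEncode:
the Python below walks a raw ACL and reports S-IDs that use all 15
sub-authorities, the only way an S-ID reaches the 68-byte maximum. The layout
constants follow the standard Windows binary ACL/ACE/SID structures; that the
60 payload bytes sit in the sub-authority array is an assumption inferred
from the 60 + 8 split, and sample_acl() is constructed test input.

```python
import struct

SID_HEADER = 8     # revision (1) + sub-authority count (1) + identifier authority (6)
MAX_SUBAUTH = 15   # 15 x 4-byte sub-authorities = 60 bytes, so 68 bytes per SID at most
ACL_HEADER = 8     # revision, pad, AclSize (uint16), AceCount (uint16), pad
ACE_PREFIX = 8     # ACE header (type, flags, size) + 4-byte access mask

def max_full_size_aces(acl_limit=0xFFFF):
    """How many ACEs carrying a 68-byte SID fit in one ACL (the README's 'about 860')."""
    return (acl_limit - ACL_HEADER) // (ACE_PREFIX + SID_HEADER + 4 * MAX_SUBAUTH)

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into (string form, sub-authority count)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if count > MAX_SUBAUTH:
        raise ValueError("sub-authority count exceeds SID maximum")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + SID_HEADER)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), count

def audit_acl(acl):
    """Walk a raw ACL and return (ACE count, SIDs that use all 15 sub-authorities)."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    off, flagged = ACL_HEADER, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", acl, off)
        if ace_size < ACE_PREFIX or off + ace_size > len(acl):
            raise ValueError("malformed or truncated ACE")
        if ace_type in (0, 1):   # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
            sid, count = parse_sid(acl, off + ACE_PREFIX)
            if count == MAX_SUBAUTH:
                flagged.append(sid)
        off += ace_size
    return ace_count, flagged

def sample_acl():
    """Constructed input: BUILTIN\\Administrators plus one made-up maximum-length SID."""
    def ace(sid):
        return struct.pack("<BBHI", 0, 0, ACE_PREFIX + len(sid), 0x001200A9) + sid
    nt = (5).to_bytes(6, "big")
    admins = struct.pack("<BB", 1, 2) + nt + struct.pack("<2I", 32, 544)
    long_sid = struct.pack("<BB", 1, 15) + nt + struct.pack("<15I", *range(1000, 1015))
    aces = ace(admins) + ace(long_sid)
    return struct.pack("<BBHHH", 2, 0, ACL_HEADER + len(aces), 2, 0) + aces

if __name__ == "__main__":
    total, flagged = audit_acl(sample_acl())
    print("%d ACEs, %d with a maximum-length SID" % (total, len(flagged)))
```

Common Windows S-IDs use far fewer than 15 sub-authorities, so a file whose
ACL holds many maximum-length entries stands out in this audit.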

---------------------------------------------------------------------------
3. Usage
ACLEncode needs to know where to write all of the ACEs. You must provide a
text file with a list of fully-qualified paths to files that exist on an
NTFS volume.

You can create a file list quickly using the "Create Filelist" button.

Once you have a list of files you can choose a TARGET file to encode, then
click Encode. It's as simple as that.

---------------------------------------------------------------------------
4. Warnings
Be aware that when NTFS is being queried for a new S-ID it has never heard of,
it will store that S-ID for future use to speed up future permission checks.
This means each chunk of your file will be cached for the future.

NTFS has *NO* ability to prune this list of cached S-IDs by design. This
means even after you've removed ACEs from a file's ACL, the S-ID file chunk
will stay behind forever.

If you encode a 100MB file now and remove it from your file's ACLs,
that 100MB will never be reclaimed.